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Summary 

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, outlaws conduct that victimizes 
computer systems. It is a cyber security law. It protects federal computers, bank computers, and 
computers connected to the Internet. It shields them from trespassing, threats, damage, espionage, 
and from being corruptly used as instruments of fraud. It is not a comprehensive provision, but 
instead it fills cracks and gaps in the protection afforded by other federal criminal laws. This is a 
brief sketch of CFAA and some of its federal statutory companions, including the amendments 
found in the Identity Theft Enforcement and Restitution Act, RL. 110-326, 122 Stat. 3560 (2008). 

In their present form, the seven paragraphs of subsection 1030(a) outlaw 

• computer trespassing (e.g., hacking) in a government computer, 18 U.S.C. 

1030(a)(3); 

• computer trespassing (e.g., hacking) resulting in exposure to certain 
governmental, credit, financial, or computer-housed information, 18 U.S.C. 

1030(a)(2); 

• damaging a government computer, a bank computer, or a computer used in, or 
affecting, interstate or foreign commerce (e.g., a worm, computer virus, Trojan 
horse, time bomb, a denial of service attack, and other forms of cyber attack, 
cyber crime, or cyber terrorism), 18 U.S.C. 1030(a)(5); 

• committing fraud an integral part of which involves unauthorized access to a 
government computer, a bank computer, or a computer used in, or affecting, 
interstate or foreign commerce, 18 U.S.C. 1030(a)(4); 

• threatening to damage a government computer, a bank computer, or a computer 
used in, or affecting, interstate or foreign commerce, 18 U.S.C. 1030(a)(7); 

• trafficking in passwords for a government computer, or when the trafficking 
affects interstate or foreign commerce, 18 U.S.C. 1030(a)(6); and 

• accessing a computer to commit espionage, 18 U.S.C. 1030(a)(1). 

Subsection 1030(b) makes it a crime to attempt or conspire to commit any of these offenses. 
Subsection 1030(c) catalogs the penalties for committing them, penalties that range from 
imprisonment for not more than a year for simple cyberspace trespassing to a maximum of life 
imprisonment when death results from intentional computer damage. Subsection 1030(d) 
preserves the investigative authority of the Secret Service. Subsection 1030(e) supplies common 
definitions. Subsection 1030(f) disclaims any application to otherwise permissible law 
enforcement activities. Subsection 1030(g) creates a civil cause of action for victims of these 
crimes. Subsections 1030(i) and (j) authorize forfeiture of tainted property. 

This report is available in abbreviated form — without the footnotes, citations, quotations, or 
appendixes found in this report — under the title CRS Report RS20830, Cybercrime: A Sketch of 
18 U.S.C. 1030 and Related Federal Criminal Laws, by Charles Doyle. 
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Introduction 

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, 1 protects computers in which there 
is a federal interest — federal computers, bank computers, and computers used in or affecting 
interstate and foreign commerce. It shields them from trespassing, threats, damage, espionage, 
and from being corruptly used as instruments of fraud. It is not a comprehensive provision; 
instead it fills cracks and gaps in the protection afforded by other state and federal criminal laws. 
It is a work that over the last three decades, Congress has kneaded, reworked, recast, amended, 
and supplemented to bolster the uncertain coverage of the more general federal trespassing, 
threat, malicious mischief, fraud, and espionage statutes. 2 This is a brief description of §1030 and 
its federal statutory companions. There are other laws that address the subject of crime and 
computers. CFAA deals with computers as victims; other laws deal with computers as arenas for 
crime or as repositories of the evidence of crime or from some other perspective. These other 
laws — laws relating to identity theft, obscenity, pornography, gambling, among others — are 
beyond the scope of this report. 3 

In their present form, the seven paragraphs of subsection 1030(a) outlaw 

• computer trespassing in a government computer, 18 U.S.C. 1030(a)(3); 



1 The foil text of 18 U.S.C. 1030 can be found at the end of this report. Earlier versions of this report appeared under 
the title. Computer Fraud and Abuse: An Oven’iew of 18 U.S.C. 1030 and Related Federal Criminal Laws. 

2 Congressional inquiry began no later than 1976, S. Comm, on Government Operations, Problems Associated with 
Computer Technology in Federal Programs and Private Industry — Computer Abuses , 94 th Cong., 2d Sess. (1976) 
(Comm.Print). Hearings were held in successive Congresses thereafter until passage of the original version of §1030 as 
part of the Comprehensive Crime Control Act of 1984, P.L. 98-473, 98 Stat. 2190; e.g ., Federal Computer Systems 
Protection Act: Hearings Before the Subconun. on Criminal Laws and Procedures of the Senate Comm, on the 
Judiciary, 95 th Cong., 2d Sess. (1978); S. 240, the Computer Systems Protection Act of 1979: Hearings Before the 
Subcomm. on Criminal Justice of the Senate Comm, on the Judiciary, 96 th Cong., 2d Sess.(1980); Federal Computer- 
System Protection Act, H.R. 3970: Hearings Before the House Comm, on the Judiciary, 97 th Cong., 2d Sess. (1982); 
Computer Crime: Hearings Before the House Comm, on the Judiciary, 98 th Cong., 1 st Sess. (1983). 

Refurbishing of the original 1984 legislation occurred in 1986, 1988, 1989, 1990, 1994, and 1996: P.L. 99-474, 100 
Stat. 1213; P.L. 100-690, 102 Stat. 4404; P.L. 101-73, 103 Stat. 502; P.L. 101-647, 104 Stat. 4831; P.L. 103-322, 108 
Stat. 2097; P.L. 104-294, 110 Stat. 3491. Most recently, both the USA PATRIOT Act, P.L. 107-56, 115 Stat. 272 
(2001), the Department of Homeland Security Act, P.L. 107-296, 116 Stat. 2135 (2002), and the Identity Theft 
Enforcement and Restitution Act of 2008, Title II of P.L. 1 10-326, 122 Stat. 3560 (2008) amended provisions of the 
section. 

For a chronological history of the statute up to but not including the 1996 amendments, see Adams, Controlling 
Cyberspace: Applying the Computer Fraud and Abuse Act to the Internet, 12 Santa Clara Computer & High 
Technology Law Journal 403 (1996). For a general description of the validity and application of this act, see 
Buchman, Validity, Construction, and Application of Computer Fraud and Abuse Act, 174 ALRFed. 101; Prosecuting 
Intellectual Property Crimes, Computer Crime and Intellectual Property Section, Criminal Division, United 
States Department of Justice (4 th ed.)[(2013)](Do/ Computer Crime), available at 

http://www.justice.gov/criminaFcybercrime/docs/prosecuting_ip_crimes_manual_2013_pdf and Prosecuting Computer- 
Crimes, Computer Crime and Intellectual Property Section, Criminal Division, United States Department 
OF Justice [(2010 )\(DoJ Cyber Crime), available at http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf. 

3 For a discussion of these and similar matters see, Twenty-Eighth Survey of White Collar Crime: Computer Crimes, 50 
American Criminal Law Review 68 1 (20 13); DoJ Cyber Crime; CRS Report R40599, Identity Theft: Trends and 
Issues, by Kristin F inklea; CRS Report 98-670, Obscenity, Child Pornography, and Indecency: Brief Background and 
Recent Developments, by Kathleen Ann Ruane; CRS Report 97-619, Internet Gambling: An Overview of Federal 
Criminal Law, by Charles Doyle; Kerr, Applying The Fourth Amendment to the Internet: A General Approach, 62 
Stanford Law Review 1005 (2010); Mehra, Law and Cybercrime in the United States Today, 58 American Journal 
of Comparative Law 659 (2010). 
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• computer trespassing resulting in exposure to certain governmental, credit, 
financial, or computer-housed information, 18 U.S.C. 1030(a)(2); 

• damaging a government computer, a bank computer, or a computer used in, or 
affecting, interstate or foreign commerce, 18 U.S.C. 1030(a)(5); 

• committing fraud an integral part of which involves unauthorized access to a 
government computer, a bank computer, or a computer used in, or affecting, 
interstate or foreign commerce, 18 U.S.C. 1030(a)(4); 

• threatening to damage a government computer, a bank computer, or a computer 
used in, or affecting, interstate or foreign commerce, 18 U.S.C. 1030(a)(7); 

• trafficking in passwords for a government computer, or when the trafficking 
affects interstate or foreign commerce, 18 U.S.C. 1030(a)(6); and 

• accessing a computer to commit espionage, 18 U.S.C. 1030(a)(1). 

Subsection 1030(b) makes it a crime to attempt or conspire to commit any of these offenses. 
Subsection 1030(c) catalogs the penalties for committing them, penalties that range from 
imprisonment for not more than a year for simple cyberspace trespassing to imprisonment for not 
more than 20 years for a second espionage-related conviction and to life imprisonment for death- 
result offenses. Subsection 1030(d) preserves the investigative authority of the Secret Service. 
Subsection 1030(e) supplies common definitions. Subsection 1030(f) disclaims any application to 
otherwise permissible law enforcement activities. Subsection 1030(g) creates a civil cause of 
action for victims of these crimes. Subsection 1030(h), which has since expired, called for annual 
reports through 1999 from the Attorney General and Secretary of the Treasury on investigations 
under the damage paragraph (18 U.S.C. 1030(a)(5)). And subsections 1030(i) and (j) authorize 
the confiscation of property generated by, or used to facilitate the commission of, one of the 
offenses under subsection 1030(a) or (b). 

Trespassing in Government Cyberspace 
(18 U.S.C. 1030(a)(3)) 

(a) Wlioever ... (3) intentionally, without authorization to access any nonpublic computer 4 of 
a department or agency of the United States, 5 accesses such a computer of that department 
or agency that is exclusively for the use of the Government of the United States or, in the 
case of a computer not exclusively for such use, is used by or for the Government of the 
United States and such conduct affects that use by or for the Government of the United States 
... shall be punished as provided in subsection (c) of this section. 

(b) Whoever attempts to commit an offense under subsection (a) of this section shall be 
punished as provided in subsection (c) of this section. 



4 “(e) As used in this section ... (1) the tern ‘computer’ means an electronic, magnetic, optical, electrochemical, or 
other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data 
storage facility or communications facility directly related to or operating in conjunction with such device, but such 
tern does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device,” 

18 U.S.C. 1030(e)(1). 

5 “(e) As used in this section ... (7) the tern ‘department of the United States’ means the legislative or judicial branch of 
the Government or one of the executive departments enumerated in [sjection 101 of title 5,” 18 U.S.C. 1030(e)(7). 
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Paragraph 1030(a)(3) condemns unauthorized intrusion (“hacking”) into federal government 
computers whether they are used exclusively by the government or the government shares access 
with others. With the help of subsection 1030(b) it also outlaws attempted intrusions and 
conspiracies to intrude. In the case of shared computers, a crime only occurs if the unauthorized 
access “affects ... use by or for” the government or would affect such use if an attempted effort 
had succeeded. 6 

Broken down into its elements, paragraph (a)(3) makes it unlawful for anyone to 

• without authorization 

• intentionally 

• either 

- access a government computer maintained exclusively for the use of the federal 
government, 

- access a government computer used, at least in part, by or for the federal government 
and the access affects use by or for the federal government, 

- attempts to do so (18 U.S.C. 1030(b)) or 

- conspires to do so (18 U.S.C. 1030(c)). 

This pure trespassing proscription dates from 1986 and its legislative history leaves little doubt 
that nothing more than unauthorized entry is required: 

“[SJection 2(b) will clarify the present 18 U.S.C. 1030(a)(3), making clear that it applies to 
acts of simple trespass against computers belonging to, or being used by or for, the Federal 
Government. The Department of Justice and others have expressed concerns about whether 
the present subsection covers acts of mere trespass, i.e., unauthorized access, or whether it 
requires a further showing that the information perused was ‘used, modified, destroyed, or 
disclosed.’ To alleviate those concerns, the Committee wants to make clear that the new 
subsection will be a simple trespass offense, applicable to persons without authorized access 
to Federal computers.” 7 



Intent 

The paragraph only bans “intentional” trespassing. The reports are instructive here, for they make 
it apparent that the element cannot be satisfied by a mere inadvertent trespass and nothing more. 

It is intended, however, to cover anyone who purposefully accomplishes the proscribed 
unauthorized entry into a government computer, and, at least in the view of the House report, 
anyone “whose initial access was inadvertent but who then deliberatively maintains access after a 
non-intentional initial contact.” 8 



6 18 U.S.C. 1030(a)(3). 

7 S.Rept. 99-432 at 7 (1986); see also, H.Rept. 99-612 at 1 1 (1986). 

* H.Rept. 99-612 at 9-10 (1986); see also, S.Rept. 99-432 at 5-6 (1986). 
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Unauthorized Access 

While the question of what constitutes “access without authorization” might seem fairly 
straightforward, Congress was willing to accept a certain degree of trespassing by government 
employees in order to protect whistleblowers: 

The Committee wishes to be very precise about who may be prosecuted under the new 
subsection (a)(3). The Committee was concerned that a Federal computer crime statute not 
be so broad as to create a risk that government employees and others who are authorized to 
use a Federal Government computer would not face prosecution for acts of computer access 
and use that, while technically wrong, should not rise to the level of criminal conduct. At the 
same time, the Committee was required to balance its concern for Federal employees and 
other authorized users against the legitimate need to protect Government computers against 
abuse by “outsiders.” The Committee struck that balance in the following manner. 

In the first place, the Committee has declined to criminalize acts in which the offending 
employee merely ‘exceeds authorized access’ to computers in his own department 
(“department” 1 is defined in [sjection 2(g) of S. 2281 [now 18 U.S.C. 1030(e)(7)]). It is not 
difficult to envision an employee or other individual who, while authorized to use a 
particular computer in one department, briefly exceeds his authorized access and peruses 
data belonging to the department that he is not supposed to look at. This is especially true 
where the department in question lacks a clear method of delineating which individuals are 
authorized to access certain of its data. The Committee believes that administrative sanctions 
are more appropriate than criminal punishment in such a case. The Committee wishes to 
avoid the danger that every time an employee exceeds his authorized access to his 
department’s computers — no matter how slightly — he could be prosecuted under this 
subsection. That danger will be prevented by not including “exceeds authorized access” as 
part of this subsection’s offense. 

In the second place, the Committee has distinguished between acts of unauthorized access 
that occur within a department and those that involve trespasses into computers belonging to 
another department. The former are not covered by subsection (a)(3); the latter are. Again, it 
is not difficult to envision an individual who, while authorized to use certain computers in 
one department, is not authorized to use them all. The danger existed that S. 2281, as 
originally introduced, might cover every employee who happens to sit down, within his 
department, at a computer terminal which he is not officially authorized to use. These acts 
can also be best handled by administrative sanctions, rather than by criminal punishment. To 
that end, the Committee has constructed its amended version of (a)(3) to prevent prosecution 
of those who, while authorized to use some computers in their department, use others for 
which they lack the proper authorization. By precluding liability in purely ‘insider’ cases 
such as these, the Committee also seeks to alleviate concerns by Senators Mathias and Leahy 
that the existing statute cases a wide net over “whistleblowers”.... 

The Committee has thus limited 18 U.S.C. 1030(a)(3) to cases where the offender is 
completely outside the Government, and has no authority to access a computer of any agency 
or department of the United States, or where the offender’s act of trespass is 
interdepartmental in nature. The Committee does not intend to preclude prosecution under 
this subsection if, for example, a Labor Department employee authorized to use Labor’s 
computers accesses without authorization an FBI computer. An employee who uses his 
department’s computer and, without authorization, forages into data belonging to another 
department is engaged in conduct directly analogous to an ‘outsider’ tampering with 
Government computers.... 
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The Committee acknowledges that in rare circumstances this may leave serious cases of 
intradepartmental trespass free from criminal prosecution under (a)(3). However, the 
Committee notes that such serious acts may be subject to other criminal penalties if, for 
example, they violate trade secrets laws or 18 U.S.C. 1030(a)(1), (a)(4), (a)(5), or (a)(6), as 
proposed in this legislation. 9 



Affects the Use 

Trespassing upon governmental computer space on computers that are not exclusively for 
governmental use is prohibited only when it affects use by the government or use for 
governmental purposes. The committee reports provide a useful explanation of the distinctive, 
“affects-the-use” element of the trespassing ban: 

[Tjrespassing in a computer used only part-time by the Federal Government need not be 
shown to have affected the operation of the government as a whole. The Department of 
Justice has expressed concerns that the present subsection’s language could be construed to 
require a showing that the offender’s conduct would be an exceedingly difficult task for 
Federal prosecutors. Accordingly, [sjection 2(b) will make clear that the offender’s conduct 
need only affect the use of the Government’s operation of the computer in question [or the 
operation of the computer in question on behalf of the Government]. S.Rept. 99-432 at 6-7 
(1986); see also, H.Rept. 99-612 at 11 (1986); S.Rept. 104-357 at 9 (1996). 



Jurisdiction 

The reports offer little insight into the meaning of the third element — what computers are 
protected from trespassing. There may be two reasons. Paragraph 1030(a)(3) protects only 
government computers and therefore explanations of the sweep of its coverage in the area of 
interstate commerce or of financial institutions are unnecessary. Besides, at least for purposes of 
these trespassing offenses of paragraph 1030(a)(3), the statute itself addresses several of the 
potentially more nettlesome questions. 

First, the construction of the statute itself strongly suggests that it reaches only computers owned 
or leased by the federal government: “whoever ... without authorization to access any nonpublic 
computer of a department or agency of the United States, accesses such a computer of that 
department or agency. ...” 

Second, the language of the statute indicates that “nonpublic” computers may nevertheless 
include government computers that the government allows to be used by nongovernmental 
purposes: “in the case of a [government] computer not exclusively for the use of the Government 
of the United States....” 

Third, the statute covers government computers that are available to nongovernment users: 
“accesses such a computer ... that ... in the case of a [government] computer not exclusively for 
the use of the Government of the United States, is used by or for the Government of the United 
States....” The use of the term “nonpublic,” however, makes it clear that this shared access may 
not be so broad as to include the general public. 



9 S.Rept. 99-432 at 7-8 (1986); see also, H.Rept. 99-612 at 1 1 (1986). 



Congressional Research Service 



5 



